More Details About App Signing Key Management

Google announced changes to app signing key management for Google Play developers on the first day of this year's Google I/O, and has now updated its support page for Google Play developers to reflect those announcements. Developers can store and administer their own keys through the Developer Console, or hand those responsibilities over to Google. The kicker with having Google manage the keys, however, is that developers cannot go back to managing their own keys for a given app once they've handed the keys to Google. There are detailed instructions for both options on the support page, of course, and Google also includes a handy guide to the various terms related to Google Play app signing.

Managing your own keys, or continuing to do so, is a simple enough affair: developers simply upload a given APK in signed form. Developers who want Google to manage their keys follow a similar process for brand new apps, but have to opt in to the program first. They upload the signed APK, then Google strips out their signature and replaces it with an original key file generated from the signature. To get an existing app into Google's app signing ecosystem, developers first opt that app into the program, then upload a clean copy of the app alongside the signing key in a separate file. Google verifies everything and stores the key on its servers. From there, the developer updates all of their key stores to the new key that Google holds and signs an update to the app with that key; Google then handles signing and key distribution going forward. Developers can download a copy of the Google-signed APK from the Developer Console.

Google also gives a quick primer on terms that developers should know. An app signing key is the original key held by the developer on their machine; an upload key is the one generated when handing the app over to Google for signing; the private key is used for APK signing; and the public key is what users see if they decompile an APK. A certificate, meanwhile, bundles some identifying information with the public key. Finally, the Play Encrypt Private Key tool is what's used to encrypt and decrypt keys while transferring them to and from Google's servers.
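The flow described above, with an upload key held by the developer, an app signing key held by Google, and Google checking the upload before re-signing it for distribution, as an added model in Go. This is example code written for this page, not Google's or Android's tooling: a real APK is signed with the APK Signature Scheme via apksigner, whereas here an "APK" is a constructed byte string with a detached ECDSA signature, and self-signed certificates stand in for the developer's and Google's certificates. The type and function names (identity, signedAPK, playStore, acceptUpload, demo) are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity models one key holder: a private key plus the self-signed
// certificate that bundles identifying information with the public key.
type identity struct {
	priv *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newIdentity generates a P-256 key pair and a self-signed certificate for it.
func newIdentity(commonName string) (*identity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(25 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{priv: priv, cert: cert}, nil
}

// signedAPK is a toy stand-in for an APK: contents, a detached signature
// over them, and the signer's certificate in DER form.
type signedAPK struct {
	Contents  []byte
	Signature []byte
	CertDER   []byte
}

// sign produces a signedAPK over contents with this identity's private key.
func (id *identity) sign(contents []byte) (*signedAPK, error) {
	digest := sha256.Sum256(contents)
	sig, err := ecdsa.SignASN1(rand.Reader, id.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &signedAPK{Contents: contents, Signature: sig, CertDER: id.cert.Raw}, nil
}

// verify checks that apk carries exactly the pinned certificate and a valid
// signature under that certificate's public key (what a device or the store does).
func verify(apk *signedAPK, pinned *x509.Certificate) error {
	if !bytes.Equal(apk.CertDER, pinned.Raw) {
		return errors.New("signer certificate does not match the pinned one")
	}
	pub, ok := pinned.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	digest := sha256.Sum256(apk.Contents)
	if !ecdsa.VerifyASN1(pub, digest[:], apk.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// playStore models Google's side: it holds the app signing key and has
// pinned the developer's upload certificate for this app.
type playStore struct {
	appSigningKey *identity
	uploadCert    *x509.Certificate
}

// acceptUpload checks the upload-key signature, discards it, and re-signs
// the same contents with the app signing key for distribution.
func (s *playStore) acceptUpload(uploaded *signedAPK) (*signedAPK, error) {
	if err := verify(uploaded, s.uploadCert); err != nil {
		return nil, fmt.Errorf("upload rejected: %w", err)
	}
	return s.appSigningKey.sign(uploaded.Contents)
}

// demo runs the flow end to end and reports: the distributed APK verifies
// against the app signing certificate, it does not verify against the upload
// certificate, and an upload signed with an unrelated key is rejected.
func demo() (distributedOK, uploadCertRejectsDistributed, foreignUploadRejected bool, err error) {
	appSigning, err := newIdentity("app signing key (held by Google)")
	if err != nil { return }
	upload, err := newIdentity("upload key (held by developer)")
	if err != nil { return }
	store := &playStore{appSigningKey: appSigning, uploadCert: upload.cert}

	contents := []byte("constructed sample APK bytes") // constructed stand-in, not a real APK
	uploaded, err := upload.sign(contents)
	if err != nil { return }
	distributed, err := store.acceptUpload(uploaded)
	if err != nil { return }
	distributedOK = verify(distributed, appSigning.cert) == nil
	uploadCertRejectsDistributed = verify(distributed, upload.cert) != nil

	stranger, err := newIdentity("unrelated key")
	if err != nil { return }
	foreign, err := stranger.sign(contents)
	if err != nil { return }
	_, rejectErr := store.acceptUpload(foreign)
	foreignUploadRejected = rejectErr != nil
	return
}

func main() {
	a, b, c, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("distributed APK verifies under app signing cert:", a)
	fmt.Println("distributed APK fails under upload cert:", b)
	fmt.Println("upload under an unrelated key rejected by store:", c)
}
```

The point the model makes concrete is the separation of trust: users only ever pin the app signing certificate, so the upload certificate never reaches devices, and the store refuses any upload that is not signed by the pinned upload key before it will apply the app signing key. The same structure is why, once Google holds the app signing key, that key and its certificate become the identity the installed base trusts, which is what makes the hand-over the article describes a one-way decision.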

Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, AI technology development, and hot gaming news in the Android world.